Introduction to Vista's user account control (UAC) for developers

by Yuval Shavit, Associate Editor

Vista's new security model includes the user account control (UAC) prompt, which users know as the confirmation dialog box that pops up before applications can gain privileged access to the operating system. Learn what UAC is, why Microsoft included it in its latest version of Windows and how you can develop programs that work well with it.

In order to develop programs to run under Vista's user access control (UAC), it's important to understand what it is. UAC, which users know as the annoying prompt that pops up before they can run privileged programs, is intended to bridge the gap between the old, Windows XP security model and Vista's more robust model, said Crispin Cowan, senior project manager at Microsoft's UAC team. This tip, based on his talk at PDC in October, will explain UAC in more depth and show you why it's important not to ignore it or assume users will just turn it off.

You may want to check out our tips on how to elevate UAC privileges correctly in Vista and how to write installers with UAC, both of which are also based on Cowan's talk.

In the days of Windows XP, all users were by default administrators on their machines. This gave developers a lot of flexibility, but it also meant that malware could work without users knowing that anything was happening. Starting with Vista, Microsoft is encouraging people to use computers in standard user mode as much as possible, and even administrator-level users operate with standard user permissions by default. If a program needs administrator privileges, Windows pops up the UAC prompt to elevate it. In essence, Vista has replaced the administrator user mode with a standard user mode that's allowed to temporarily elevate to administrator.

UAC is meant to be a transitional system in Vista for applications that were written for Windows XP, Cowan said. In fact, it's disabled in 64-bit versions of Windows; the reasoning is that developers who are advanced enough to write 64-bit code shouldn't need the "training wheels" UAC provides, Cowan said. It's also not a good idea to ignore UAC and assume that users will turn it off, he said: contrary to conventional wisdom, about 88% of Vista users keep UAC on, according to Microsoft's customer usage data.

You're also going to be under pressure from competitors to eliminate UAC prompts. The number of unique applications that cause UAC prompts is going down, from almost 800,000 in August 2007 to fewer than 200,000 a year later, Cowan said.

The best approach to UAC is to write programs that don't need it. In fact, some large enterprises require you to write programs that work in standard user mode, Cowan said. "If your app doesn't work as standard users, they are not your customer," he said.

Elevating to administrator levels makes you a target for malware, Cowan said. If your code has vulnerabilities but runs in standard user mode, hackers won't be able to use it to gain access to the rest of the machine, so they're more likely to find another program that can gain them that access; if your code has vulnerabilities but runs in administrator mode, it is that other program.

You can ensure your code runs in standard user mode by putting marking your manifest with "asInvoker" and staying away from what Cowin called "the tender bits" of the OS, like DLLs and registry keys. It's often acceptable to read such resources, but opening them in read-write mode will often trigger a UAC prompt, Cowin said; be more specific than GENERIC_ALL when specifying access masks.

0 comments

E-Mail

Username / Password

Password

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy